Discover an in-depth knowledge about the different kinds of iOS hacking tools and techniques with the free iOS Hacking Guide from Security Innovation.

HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured. Thus, resulting in the use of insecure connections.

What Is Application Transport Security (ATS)?

ATS was introduced by Apple in iOS 9 as a built-in utility to protect network communications. Out-of-the-box, ATS enforces a TLS configuration with the following criteria:

Apps can only connect to servers using the TLS 1.2 protocol.

Apps can only connect to servers providing strong ciphers.

Strong ciphers are described as AES128+ and SHA2+

Apps must connect to servers using perfect forward secrecy (PFS). However, Apple has stated that they’ll allow exceptions to this (for now).

Disabling ATS

At Cigital, we test many iOS 9 apps. We’ve observed that most developers tend to disable ATS completely (via the Info.plist, using “Allowing Arbitrary Loads”). While this is currently acceptable to Apple, they’ve announced that at the end of 2016 they will no longer allow it.

Enforcement Is Coming

With the start of 2017, applications with ATS exceptions will require a valid reason for Apple to grant an exception. Acceptance will be at Apple’s discretion during App Store review. Therefore, app developers should begin planning for this now—if you haven’t already.

Engineering teams should start working with architectural and infrastructure teams to discuss how and when to implement secure server-side TLS configuration.

Diagnosing Connectivity Problems

Once you’ve enabled server-side TLS, you can check your configuration and identify compatibility issues. Go about this by using nscurl on an OSX/macOS system. For example, using www.cigital.com as the target domain:

This output shows that the server supports the default ATS connection. Thus, ATS will work out-of-the-box for this host. Your application will now be able to communicate to this host securely (without disabling ATS). If the output says FAIL, something is misconfigured and the issue requires further diagnosis.

Alternatively, developers can set the CFNETWORK_DIAGNOSTICS environment variable to 1 within the Xcode project. This captures networking-based debug logging which too can help diagnose ATS connection issues.

What If I Can't Enable Strong TLS Right Now?

There are numerous exception types available within ATS, most of which have legitimate use cases. Here are some examples:

NSAllowsArbitraryLoadsInWebContent – Used for accessing and displaying Web content through WKWebView objects.

This was not available until iOS 10.

NSThirdPartyExceptionAllowsInsecureHTTPLoads – See above, but for third-party domains.

NSThirdPartyExceptionRequiresForwardSecrecy – See above, but for third-party domains.

NSThirdPartyExceptionMinimumTLSVersion – See above, but for third-party domains.

What About Domains I Don't Own?

Many applications communicate with third-party domains in addition to the domains under the same ownership as the application itself. In this scenario, you can disable ATS for a specific domain, declaring also that it is a third-party domain. Here’s how to achieve this:

In this scenario, NSThirdPartyExceptionAllowsInsecureHTTPLoads is set to true. This allows HTTP connections for the www.cigital.com host.

It is also advisable to speak to your third-party vendors and ask them to upgrade their infrastructure to support ATS where possible. Of course, exceptions (such as those seen above) will require justification during App Store review. It’s important to bear this in mind.

Summing it up.

ATS enforcement is looming. As such, start planning support for ATS now in order to meet the deadline. Don’t panic if you’re finding that you can’t enable ATS globally. There are justifiable exceptions that Apple will consider. However, make an attempt to plan your release dates accordingly to compensate for any push-back from Apple.

When possible, also strive to comply with ATS configuration rather than relying on exceptions. This avoids unnecessary delays when going live, and most importantly provides greater security to the app and its users.

Learn about the importance of a strong culture of cybersecurity, and examine key activities for building – or improving – that culture within your organization.